httpd-users mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] How to find if Revision 1179239 patch is in place
Date Mon, 13 Feb 2012 23:00:41 GMT
On February 13, 2012 17:28, Murthy Ganti <murthy.ganti@cbsinteractive.com> wrote:
> I am trying to find out if one of my Apache installations is vulnerable 
> to CVE-2011-4317 or not. The description of this vulnerability says 
> that this vulnerability exists in "2.2.x through 2.2.21, when the 
> Revision 1179239 patch is in place".
> My question is how do I determine if this Revision patch is in place 
> or not by looking at the source code for our installation (I have 
> 2.2.17 and 2.2.19 installed).

If you see the following lines (the ones in green in the right-hand 
column) in the file server/protocol.c then the revision 1179239 patch is 
in place:  
https://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=1178566&r2=1179239&pathrev=1179239&diff_format=h

The most likely situation in which this would be the case is if you are 
using a version of Apache HTTP Server that is patched for you by an 
upstream distributor and you upgraded to a version in which the 
distributor back-ported the fix for CVE-2011-3368 but you did not 
upgrade to a version in which the distributor back-ported the fix for 
CVE-2011-4317.

Or, this could arise if you compile 2.2.17 or 2.2.19 from source 
yourself and you patched the source to fix CVE-2011-3368 thus creating 
the vulnerability described in CVE-2011-4317 but you did not apply the 
patch to fix CVE-2011-4317 for some reason, despite applying other fixes.

--
   Mark Montague
   mark@catseye.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

